{"id":55133,"date":"2008-08-29T02:18:00","date_gmt":"2008-08-29T02:18:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2008\/08\/29\/hey-scripting-guy-whats-going-on-in-the-service-host-process\/"},"modified":"2008-08-29T02:18:00","modified_gmt":"2008-08-29T02:18:00","slug":"hey-scripting-guy-whats-going-on-in-the-service-host-process","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-whats-going-on-in-the-service-host-process\/","title":{"rendered":"Hey, Scripting Guy! What’s Going on in the Service Host Process?"},"content":{"rendered":"

<\/p>\n

<\/span><\/font><\/span><\/font><\/h2>\n

\"Hey, <\/p>\n

Hey, Scripting Guy! I think I might have a problem on my server. When I go into Task Manager, all the processes that are eating up the most CPU time and the most memory are the stupid svchost.exe process. I know this is the Service Host process and that it is being used by multiple services, but how can I know what is really going on in there?<\/p>\n

– JH<\/p>\n

\"Spacer\"\"Hey,<\/a> <\/p>\n

Hi JH,<\/p>\n

Scripting Guy at your service. Or is it at your Service Host? Yes, I know, I’m eating your CPU time with lame comedy. Let’s go.<\/p>\n

To look into the Service Host process, what we need to do is first find all the processes with the name ofsvchost.exe<\/b>. Next we need to find the handle of each one so we can uniquely identify it. Next we need to find all the services that are using a particular process ID, match them up with the handles we had earlier, and we have your answer. Here is the GetServicesInSvchost.ps1<\/b> script: <\/p>\n

$aryPid = @(Get-WmiObject win32_process -Filter \"name='svchost.exe'\") | \n  Foreach-Object { $_.Handle } \n\n\"There are \" + $arypid.length + \" instances of svchost.exe running\"\n\nforeach ($i in $aryPID) \n{ \n Write-Host \"Services running in ProcessID: $i\" ; \n Get-WmiObject win32_service -Filter \" processID = $i\" | \n Format-Table name, state, startMode \n}\n<\/pre>\n
Our script begins by using WMI to find all the processes that are named svchost.exe<\/b>. To do this, we use the Get-WmiObject<\/b> cmdlet. For each of these processes we find, we obtain the handle and assign the resulting array of handles to a variable aptly named $aryPid<\/b>. This line of code is seen here: <\/p>\n
$aryPid = @(Get-WmiObject win32_process -Filter \"name='svchost.exe'\") | \n  foreach-object { $_.Handle }\n<\/pre>\n
Once we have an array of process IDs for all the svchost<\/b> processes, we use the length<\/b> property to count how many we actually have running. This is not important for the actual script; however, it is very important for our sanity. It is also a nice reality check to assure us the script is working properly. For example if the $ary.length<\/b> is equal to 1, but you see the following in Task Manager, you can be assured you have a problem:<\/p>\n
\"Svchost <\/p>\n
 <\/p>\n
Now we want to walk through the array contained in the $aryPid<\/b> variable. To do this, we will use the foreach<\/b> statement. We need to use a variable to keep track of things, we choose the $i<\/b> variable. This line of code is seen here:<\/p>\n
foreach ($i in $aryPID) <\/pre>\n
To produce a header for our report, we use the Write-Host<\/b> cmdlet to print out the processID<\/b> of the current process we are working with, which is represented by the variable $i<\/b>. We end the line with a semicolon as we want to continue the command. This is seen here:<\/p>\n
Write-Host \"Services running in ProcessID: $i\" ;<\/pre>\n
We now need to do another WMI query. This time, we will query from the Win32_Service<\/b> WMI class. We use a filter to limit our query to services that have a particular ProcessID value. We are interested in finding all services that have a ProcessID that is the same as one of our running versions of the Svchost.exe<\/b> processes. When we find a service with a ProcessID that matches a Svchost.exe<\/b> process, we have our answer. We decide to organize our data as a table and print out the name<\/b>, state<\/b>, and startmode<\/b> of the service. This line of code is seen here: <\/p>\n
 Get-WmiObject win32_service -Filter \" processID = $i\" | \n Format-Table name, state, startMode \n<\/pre>\n
When we run the script, we obtain a report that is similar to the one seen here:<\/p>\n
\"Svchost <\/p>\n
 <\/p>\n
In the end, JH, it did not take super scripting powers after all. It was a rather tame script, and leveraging the ease in which Windows PowerShell does WMI, it was actually pretty short as well. To be perfectly candid, we could have written the script in a single line as seen here: <\/p>\n
get-wmiObject win32_process -filter \"name='svchost.exe'\" | \nforeach { gwmi -query \"Select * from win32_service where processID = $($_.handle)\" } | \nsort processID, Name | \nformat-table processID, name, state, startmode -AutoSize\n<\/pre>\n
But it would have been a really long line. Hope this script gives you some x-ray eyes and allows you to remove some of the mystery surrounding the svchost<\/b> process.<\/p>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/b><\/b><\/span><\/font><\/p>\n
<\/b><\/font><\/span><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! I think I might have a problem on my server. When I go into Task Manager, all the processes that are eating up the most CPU time and the most memory are the stupid svchost.exe process. I know this is the Service Host process and that it is being used by multiple […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[31,87,3,39,45],"class_list":["post-55133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-operating-system","tag-processes","tag-scripting-guy","tag-services","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! I think I might have a problem on my server. When I go into Task Manager, all the processes that are eating up the most CPU time and the most memory are the stupid svchost.exe process. I know this is the Service Host process and that it is being used by multiple […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/55133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=55133"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/55133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=55133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=55133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=55133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}